This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. All removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. The recommended state for this setting is: Enabled. Rationale: Users may not voluntarily encrypt removable drives prior to saving important data to the drive. Impact: All removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
To establish the recommended configuration via GP, set the following UI path to Enabled: To establish the recommended configuration, set the following Device Configuration Policy to Enabled: To access the Device Configuration Policy from the Intune Home page: Click Devices Click Configuration profiles Click Create profile Select the platform (Windows 10 and later) Select the profile (Administrative Templates) Click Create Enter a Name Click Next Configure the following Setting Path: Computer Configuration/Windows Components/BitLocker Drive Encryption/Removable Data Drives Setting Name: Deny write access to removable drives not protected by BitLocker Configuration: Enabled Select OK Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.) Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy. Note #2: This recommendation can also be set using the Endpoint protection profile using Windows Encryption settings. Default Value: Disabled. (All removable data drives on the computer will be mounted with read and write access.)